We perform continuous internal security tests. These tests are further backed by external penetration tests from security researchers – multiple times per year. Penetration tests cover network security aspects as well as common web application vulnerabilities as referenced in the OWASP Top 10.
Our APIs and Data Dictionary are publicly available. Further customers can automate backup retrieval at any time. If you’re interested in detailed security assurance and compliance information please contact us.
We apply principles like security-in-depth, need-to-know and least-privilege to reduce the chance of data leakage or loss by internal or external threats using different preventive, detective and mitigative controls.
In the case of a (security) incident, we’re prepared with regularly-tested incident response plans and 24/7 on-call staff to react immediately and appropriately.
Our security and compliance approach
We respect data privacy
Our customers are GDPR compliant by providing relevant features to comply with data subject rights. We ensure personal data doesn't leave the customer's jurisdiction or, if it does, we provide assurances of adequate data protection outside of customer jurisdiction.
Complete audit rights
We always ensure our customers and regulators can execute their supervisory function and have effective audit rights to Mambu’s business premises, processes and supply chain.
Isolation & control
Our customers can choose to have a dedicated Mambu deployment that is not shared with other Mambu customers, giving them further control over the environment and increase the isolation required by financial regulators.
SLAs and business continuity
We offer SLAs for uptime and resolution times on customer inquiries. Our disaster recovery procedures and business continuity plans are regularly tested. And our SaaS solution is cloud-agnostic and has no vendor lock-in with any specific cloud vendor.
Open banking platform
The Mambu platform provides APIs to implement the PSD2 regulation, allowing financial institutions to give third-party vendors access to end-customer data.
Security is embedded in all stages of the software development lifecycle (SDLC) at Mambu – from requirements engineering, programming and QA to deployment, monitoring, alerting and incident management.
Reporting security issues
To report any security issues, please contact the security on firstname.lastname@example.org Public GPG key. Our security team will respond as quickly as possible. We kindly ask you to not publicly disclose any security issue until it has been addressed by Mambu.